[1] EPIC, Archive File Brief Supporting Release of Abu Ghraib Images

EPIC and the National Security Archive have filed an amicus brief urging an appeals court to permit the disclosure of photos and videos showing American troops abusing detainees at Abu Ghraib prison in Iraq. The Pentagon has refused to release the information to the American Civil Liberties Union under the Freedom of Information Act, claiming that it would endanger U.S. soldiers serving in Iraq. EPIC and the Archive argue that the government is turning FOIA on its head by claiming that information likely to expose government misconduct should be withheld to prevent public outrage.

In this case, the ACLU submitted Freedom of Information Act requests to several government agencies for information about the treatment of detainees in U.S. custody, including controversial images of abuse that had been reported in the media. When the government failed to respond to the ACLU's request nearly a year later, the organization filed suit in the District Court for the Southern District of New York. U.S. District Judge Alvin K. Hellerstein reviewed a sampling of photos depicting abuse of detainees, and ordered the government to release them in redacted form to protect the privacy of the pictured individuals.

The government appealed the ruling to the Second Circuit Court of Appeals, arguing that disclosure of the images would "endanger the life or physical safety" of U.S. troops and coalition forces by provoking insurgent and terrorist attacks against them. The government also said that the photos should not be released, even in the redacted form required by Judge Hellerstein, because such disclosure could invade the personal privacy of the detainees.

The amicus brief written by EPIC and the Archive argues that the government's claims undermine the FOIA's purpose of promoting open, honest and accountable government. The brief shows that U.S. courts have never allowed the potential for public anger to thwart the right to free expression guaranteed by the Constitution and reflected, in part, by the FOIA.

The brief also argues that disclosure of the photos will not threaten personal privacy because Judge Hellerstein has already taken precautions to safeguard the rights of the pictured detainees. Disclosure of these redacted images will advance the public interest in examining the propriety of the U.S. soldiers' conduct. Such disclosure will also help to hold higher government officials responsible for the abuses at Abu Ghraib.

[2] EPIC Testifies Against Social Security Number Expansion

In testimony before the House Subcommittee on Social Security, EPIC Executive Director Marc Rotenberg urged Congress not to expand the uses of the Social Security number and the Social Security card. "Every system of identification is subject to error, misuse, and exploitation," Rotenberg said.

The hearing was the fourth in a series held by Representative McCrery (R-LA) to focus on high-risk issues facing the Social Security number. The hearings, held over the course of the last four months, examined fraud, the use of the number in verifying employment eligibility, and possible modification of the card.

Some members of Congress have proposed that the card contain digital photos, machine-readable identifiers, and biometric identifiers that could turn the Social Security card into a national ID card. Current Social Security cards, while bearing anti-counterfeiting features such as those used on banknotes, are not intended or designed to be used for identification.

In creating the Social Security Administration in the 1930s, Congress was concerned with the number being used as a universal identifier that could aid in government tracking of activities, and the first act of the newly formed Administration was to limit the card's use. Congress also halted later expansion of the card's role by passing Section 7 of the Privacy Act of 1974. Putting the card to new, unintended uses, Rotenberg testified, would erode privacy, running counter to this trend of protection. Rotenberg also noted that the improper use of the SSN for identification by the private sector contributes to identity theft.

Nevertheless, members of Congress, including Representatives David Dreier (R-CA) and Silvestre Reyes (D-TX), called for additions to the card. Representative Dreier insisted both that Social Security numbers are already used for identification purposes by the private sector, and also that the new photograph-bearing, machine-readable card would not, in fact, be an identification document.

Frederick Streckewald of the Social Security Administration testified that adding ID-like features to the Social Security card would cost at least $9.5 billion. Dr. Stephen Kent of the National Research Council also testified that complex ID systems like the one proposed for the Social Security card often are pressed into unintended secondary uses that can cause privacy and security problems.

For instance, companies only have to notify consumers of data breaches where "information is reasonably likely to have been or to be misused in a manner causing substantial harm or inconvenience." However, many states have more stringent requirements that cause notices to be issued whenever a security breach occurs. The reasoning behind these requirements is that businesses have significant incentives not to give notice, and may overlook breaches and their potential harms to avoid embarrassment. But other loopholes in the language further limit the requirement to give notice. These include that the information must be "sensitive financial personal information," and that the company must know the scope of the breach (in many cases, the scope is unknown).

The credit freeze provisions are similarly weak. Credit freeze is the ability of an individual to limit disclosure of their consumer report to new creditors, thus stopping companies from opening new accounts. This erects a nearly perfect shield against identity theft. Many states allow any concerned residents to freeze their credit as a precaution against future fraud. H.R. 3997, however, only allows credit freeze once someone has become a victim of identity theft. Furthermore, H.R. 3997 creates a difficult-to-use freeze mechanism that requires the victim to provide proof of the crime, to send the freeze request by certified mail, and it allows the consumer reporting agency to wait five business days before implementing the freeze. These inconveniences are designed to stop consumers from freezing their reports.

The main driver of this legislation is preemption--the desire of many businesses to supersede stricter state laws. Additionally, the bill prohibits enforcement by the state attorneys general, weakening any possible enforcement of the law. The bill will next be considered by other committees in the House and Senate, where there is a possibility that it could be strengthened.

[4] Judge Restricts Justice Department's Demand for Google Records

On March 17, a federal district judge in California issued an order limiting the Justice Department's demand for records from Google. While Google must still turn over a list of 50,000 web addresses, it will not have to reveal any Internet search terms submitted by users.

The government's demands had been significantly narrowed compared to the subpoena filed last August. That subpoena asked for the addresses of all web sites indexed by Google, as well as every search term entered into Google during a two-month period in 2005. Yahoo, Microsoft, and AOL were also asked to provide records. Of the companies, Google alone objected, claiming that the demand threatened Google's trade secrets and its image as a protector of users' privacy.

In making the decision, Judge Ware of the Northern District of California recognized that the demand affected not just Google, but also the privacy rights of individual Google users. Not only do users want the terms they search for to be private, search terms alone can sometimes reveal a user's identity, such as when people search for their social security numbers or credit card numbers to see if that information is available on the Internet. The judge also noted that the government might, in looking through search terms, decide to follow up on information for unauthorized purposes, quoting a Justice Department spokesperson who said that "if something raised alarms, we would hand it over…"

Because of these concerns, the judge ruled that Google did not have to turn over search terms, but that the list of web addresses, since they did not impact privacy, had to be turned over.

The Justice Department is seeking the records to conduct a statistical study for the defense of the Child Online Protection Act, an online censorship law that was blocked as unconstitutional by the Supreme Court in 2004. The government has given few details as to how it intends to use the information--an omission that the judge called "particularly striking," considering the time the government had to prepare the case, and given that it already had essentially the same information from the other major search engines.

The Child Online Protection Act makes it a criminal offense for anyone to post adult material on the web, unless they first collect information from users proving that the user is not a minor. The Supreme Court barred enforcement of the law, saying that the government had not proven that this restriction on free speech was the most effective means to prevent minors from viewing adult material on the Internet.

[5] Security Flaws at Retailers Affect Thousands of Debit Card Holders

Hundreds of thousands of debit cards may have been affected by fraud, but affected banks, card companies, and retailers are releasing very few details on the incident. Consumers first became aware of the problem as major banks, including Citibank, Wells Fargo, Washington Mutual, and Bank of America blocked ATM transactions in Canada, the United Kingdom and Russia, and quietly began issuing new debit cards to customers.

The affected banks have since told reporters that the problems were related to fraudulent transactions that had been traced to data breaches at unspecified retailers. Recent reports have named OfficeMax and Sam's Club stores as likely sources for the breach, although OfficeMax continues to deny that it knew of any security mishaps.

Thieves have apparently been able to collect not only the data contained within the magnetic strips on victims' ATM cards, but also the PIN codes that allow access to their accounts. Fraudulent withdrawals in Canada, the United Kingdom, and Russia apparently triggered the blocks in those countries, and have led to the arrests of 14 people in New Jersey.

When consumers purchase goods with an ATM card, the PIN entered into the register is supposed to be encrypted when it is sent out for verification, and deleted after the transaction is complete. For the breaches to have occurred, the information must have been improperly retained on a computer and the thieves must have been able to decrypt the coded PINs, either because the encryption key was carelessly stored on the same server, or through hacking by an insider.

The scope of the breach underscores the need for laws that will protect consumers from such crimes, by notifying them when breaches occur and allowing them to freeze accounts if they suspect fraud. Many bills currently before Congress provide loopholes that would allow breaches like this one to go unreported, and would not allow victims to place security freezes on their accounts unless they first filed a police report. Some of the proposed laws would also eliminate stronger state consumer protections.

Senators Max Baucus (D-MT) and Mark Pryor (D-AR) have proposed the Cyber Safety for Kids Act, a bill that would require the creation of a .xxx top-level domain. The law would require websites in the business of distributing adult material to register and host all adult material at the .xxx domain, instead of using any of the current top-level domains (such as .com, .net, .biz or others). Those who fail to use the .xxx domain would be subject to civil penalties by the Department of Commerce. The bill has not yet been introduced.

Text of the .xxx TLD Bill (pdf):

http://www.boingboing.net/images/CyberSafetyforKids.pdf

Supreme Court Limits Warrantless Searches of Homes by Police

The Supreme Court ruled Wednesday in Georgia v. Randolph that police, who do not have a warrant, may not search a home when one resident allows entry but another refuses it. Officers found evidence of illegal drugs in a home after a woman had given her consent to the officers but her husband had objected. In 1974, the Supreme Court ruled in United States v. Matlock that one occupant may give police permission to search a residence without a warrant if the other resident either is absent or does not object.

Supreme Court Opinion in Georgia v. Randolph (pdf):

http://www.supremecourtus.gov/opinions/05pdf/04-1067.pdf

Federal Court: Fliers Must Complete Search Process Once It's Begun

Last week, the Ninth Circuit Court of Appeals ruled in United States v. Aukai that travelers who begin the security screening process at airports cannot change their minds. The court said passengers who walk through airport metal detectors implicitly consent to a search, and they can't revoke that consent even if they are chosen to undergo a more extensive "secondary screening" process. The court did not rule on whether a passenger could refuse searches that are more invasive than simple pat-downs.

http://www.epic.org/privacy/airtravel/profiling.html

Washington State Passes Pretexting Law

Washington State appears to be the first to pass legislation to protect telephone records. The House and Senate have passed SB 6776, but the bill still awaits the Governor's signature. SB 6776 prohibits the intentional sale of phone records without consent of the account holder. It also prohibits pretexting. Under the law, it is a "class c felony" to sell, pretext, or knowingly purchase phone records, while it is a "gross misdemeanor" to knowingly receive records. There are also civil remedies, including a $5,000 liquidated damages award and attorneys' fees. Government entities and telephone companies are exempt from the law.

http://apps.leg.wa.gov/billinfo/summary.aspx?bill=6776&year=2006

RFID Chips Vulnerable to Viruses

A study by European researchers has revealed that radio frequency identification (RFID) systems can be affected by viruses encoded into individual chips. Melanie Rieback, Bruno Crispo, and Andrew Tanenbaum have authored a paper describing how the remotely readable tags can be programmed to infect the machines that read them and the databases that store their information. Such malicious programs could then force the systems to produce more infected tags, further spreading the virus.

http://www.epic.org/privacy/rfid/

Deleted Gmails to be Turned Over in FTC Case

A federal magistrate judge has ordered that Google turn over all of the email correspondence of a Gmail user, including emails that he has deleted. The Federal Trade Commission, investigating a credit counseling scam, subpoenaed the emails of Peter Baker, the owner of a company linked to the case. The subpoena asked not only for the email in Baker's Gmail mailboxes, but also for deleted emails that were retained on Google computers. Google's privacy policy says that copies of deleted email may remain on active servers for up to 60 days, or indefinitely on offline backup servers.

http://www.epic.org/privacy/gmail/faq.html

Homeland Security Gets Another 'F' for Computer Security

A report by the House Government Reform Committee found that many federal agencies are failing to protect their computer and information networks. The committee gave the Department of Homeland Security an 'F' for a third straight year. The departments of Agriculture, Defense, Energy, State, Health and Human Services, Transportation, and Veterans Affairs also received failing grades again this year. The annual report bases the grades on information the agencies submit to the White House Office of Management and Budget, and the agencies' own internal assessments.

"Maps, as we know, help us find our way around. But they're also powerful tools for someone hoping to find you. Widely available in electronic and paper formats, maps offer revealing insights into our movements and activities, even our likes and dislikes. In Spying with Maps, the "mapmatician" Mark Monmonier looks at the increased use of geographic data, satellite imagery, and location tracking across a wide range of fields such as military intelligence, law enforcement, market research, and traffic engineering. Could these diverse forms of geographic monitoring, he asks, lead to grave consequences for society? To assess this very real threat, he explains how geospatial technology works, what it can reveal, who uses it, and to what effect.

Despite our apprehension about surveillance technology, Spying with Maps is not a jeremiad, crammed with dire warnings about eyes in the sky and invasive tracking. Monmonier's approach encompasses both skepticism and the acknowledgment that geospatial technology brings with it unprecedented benefits to governments, institutions, and individuals, especially in an era of asymmetric warfare and bioterrorism. Monmonier frames his explanations of what this new technology is and how it works with the question of whether locational privacy is a fundamental right. Does the right to be left alone include not letting Big Brother (or a legion of Little Brothers) know where we are or where we've been? What sacrifices must we make for homeland security and open government?"

EPIC Publications:

This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 60 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2004 is the most comprehensive report on privacy and data protection ever published.

This is the standard reference work covering all aspects of the Freedom of Information Act, the Privacy Act, the Government in the Sunshine Act, and the Federal Advisory Committee Act. The 22nd edition fully updates the manual that lawyers, journalists and researchers have relied on for more than 25 years. For those who litigate open government cases (or need to learn how to litigate them), this is an essential reference manual.

This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.

The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.

[8] Upcoming Conferences and Events

Beyond the Basics: Advanced Legal Topics in Open Source and Collaborative Development in the Global Marketplace. University of Washington School of Law. March 21, 2006. Seattle, Washington. For more information: http://www.law.washington.edu/lct/Events/FOSS/

Call for papers for the 34th Research Conference on Communication, Information, and Internet Policy. Telecommunications Policy Research Conference. Proposals should be based on current theoretical or empirical research relevant to communication and information policy, and may be from any disciplinary perspective. Deadline is March 31, 2006. For more information: http://www.tprc.org/TPRC06/call06.htm

CHI 2006 Workshop on Privacy-Enhanced Personalization. UC Irvine Institute for Software Research and the National Science Foundation. April 22-23. Montreal, Quebec, Canada. For more information: http://www.isr.uci.edu/pep06/

The First International Conference on Legal, Security and Privacy Issues in IT (LSPI). CompLex. April 30-May 2, 2006. Hamburg, Germany. For more information: http://www.kierkegaard.co.uk/

34th Research Conference on Communication, Information, and Internet Policy. Telecommunications Policy Research Conference. September 29-October 1, 2006. Arlington, Virginia. For more information: http://www.tprc.org/TPRC06/2006.htm

International Conference on Privacy, Security, and Trust (PST 2006). University of Ontario Institute of Technology. October 20-November 1, 2006. Oshawa, Ontario, Canada. For more information: http://www.businessandit.uoit.ca/pst2006/

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."

If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.